Jwt-auth: Does the refresh_ttl reset when the token is refreshed?

Created on 3 Jun 2017 · 9 Comments · Source: tymondesigns/jwt-auth

For example, if I have these settings:

  • ttl => 5
  • refresh_ttl => 60

And the user initially logs in at 12:00, then the token will expire at 12:05 and the user has until 13:00 to refresh the token.

If the user refreshes the token at 12:15, does the refresh_ttl get reset, so that the user has until 13:15 to refresh the token, or does it stay at 13:00?

Because currently, my code does the latter (i.e. it will stay at 13:00 regardless of whether or not the user refreshes the token before then).

Is that normal behavior?

Here is my refresh token method:

public function refreshToken(Request $request)
{
    $token = JWTAuth::getToken();

    try
    {
        $newToken = JWTAuth::refresh($token);
    }
    catch (TokenExpiredException $e)
    {
        return response()->json([
            'success' => false,
            'data' => [
                'errors' => [
                    'auth_token' => [
                        'token_expired'
                    ]
                ]
            ],
        ], $e->getStatusCode());
    }
    catch (TokenInvalidException $e)
    {
        return response()->json([
            'success' => false,
            'data' => [
                'errors' => [
                    'auth_token' => [
                        'token_invalid'
                    ]
                ]
            ],
        ], $e->getStatusCode());
    }
    catch (JWTException $e)
    {
        return response()->json([
            'success' => false,
            'data' => [
                'errors' => [
                    'auth_token' => [
                        'token_absent'
                    ]
                ]
            ],
        ], $e->getStatusCode());
    }

    return response()->json([
        'success' => true,
        'data' => [
            'auth_token' => $newToken
        ],
    ], 200);
}

All 9 comments

Obviously it will send a new token with a changed 'TTL'. Are you getting the new token and attaching the new token with subsequent requests?

Yes, I use the new token in every new request, but I think you might be confusing my question.

I'm asking if the refresh_ttl gets reset when the user refreshes their token?

So if the user initially logs in at 12:00 (which means that they have until 13:00 to refresh the token), and the user refreshes their token at 12:30, does the refresh_ttl get set back to 13:30 or is it supposed to stay at 13:00?

It gets to 13:30.

Okay, then that's my problem, and I'm not sure why.

For some reason, my refresh_ttl doesn't get reset when the user refreshes their token.

If a user initially logs in at 12:00, and then refreshes the token at 12:55, they will still be logged out at 13:00 because the server will return token_expired.

Any ideas why this might be happening given my code?

@tymondesigns

@akkhan20 is incorrect. Your experience is as expected (although I can see why you would think otherwise).

It's something I'm considering at the moment. I'm thinking of a few options.

One of which is making the behaviour follow your example, where after a refresh, the token iat claim is extended and further refreshes simply extend that time frame.

Another option is to have a totally separate refresh token, similar to OAuth2 flows where only a separate refresh_token can be used to obtain a new valid token.

Hope that answers your question.

Thanks for the clarification.

It definitely makes more sense for the iat to extend after an auth token is refreshed. I'm surprised that that's not what it already does.

@tymondesigns I don't really want to force my users to have to re-login unless absolutely necessary, so can refresh_ttl be set to null?
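
The timing discussed in this thread, as an added example that is not part of the original posts and is not jwt-auth code: a stand-alone PHP model in which the refresh deadline is the token's iat plus refresh_ttl. It assumes a refresh carries the original iat forward (the fixed deadline the thread reports) and also runs the sliding alternative the maintainer mentions; all function names and sample times are hypothetical.

```php
<?php
// Stand-alone model of the thread's timing; not jwt-auth code.
// Function names and the claims array are hypothetical.

const TTL = 5;          // minutes, 'ttl' from the question
const REFRESH_TTL = 60; // minutes, 'refresh_ttl' from the question

function at(string $hhmm): int
{
    // Minutes since midnight for a constructed sample time like "12:15".
    [$h, $m] = array_map('intval', explode(':', $hhmm));
    return $h * 60 + $m;
}

function issue(int $now): array
{
    return ['iat' => $now, 'exp' => $now + TTL];
}

// Returns the new claims, or null when the refresh window has closed.
// $sliding = false: iat is carried over, so the deadline stays at login + REFRESH_TTL.
// $sliding = true: iat restarts at refresh time (the option the maintainer is considering).
function refresh(array $claims, int $now, bool $sliding = false): ?array
{
    if ($now >= $claims['iat'] + REFRESH_TTL) {
        return null; // the server would answer token_expired
    }
    return ['iat' => $sliding ? $now : $claims['iat'], 'exp' => $now + TTL];
}

function fmt(int $minutes): string
{
    return sprintf('%02d:%02d', intdiv($minutes, 60), $minutes % 60);
}

foreach ([false, true] as $sliding) {
    $mode = $sliding ? 'sliding' : 'fixed';
    $token = issue(at('12:00')); // constructed login time from the question
    foreach (['12:15', '12:55', '13:05'] as $when) {
        $next = refresh($token, at($when), $sliding);
        if ($next === null) {
            printf("%s refresh at %s: token_expired\n", $mode, $when);
            break;
        }
        $token = $next;
        printf("%s refresh at %s: exp %s, refresh until %s\n", $mode, $when,
            fmt($token['exp']), fmt($token['iat'] + REFRESH_TTL));
    }
}
```

In the fixed mode the 13:05 refresh is rejected because the deadline never moved from 13:00; in the sliding mode every successful refresh pushes the deadline out by another refresh_ttl.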
